Cybersecurity as a First Class Business Risk
I see a lot of commentary on the need to “treat cyber/info-security as a business issue not an IT issue”. The problem is that it implies this is not still also a technology issue. This is, of course, incorrect. The reality (being generous, what I think people really mean) is that we need to treat cyber/info-security as a first-class business risk. So how do we do this, as opposed to just wishing it so? In my experience there are 3 themes you need to drive.
1. Enterprise Integration - make this part of the fabric of business decision-making. Embed risk considerations into the enterprise governance apparatus (Boards, Committees, management oversight); establish or use a risk committee and make this topic a major part of its agenda. Conduct risk assessments (quantitative and qualitative) and establish a risk appetite - with particular focus on which level of the organization can accept risk, in what way, and who can authorize exceeding the stated appetite. Integrate risk considerations into all business processes - especially: strategy, business development, capital planning, budgets, hiring, promotions, employee reviews and rewards, new products, acquisition, divestment, technology investments and supply chain management.
2. Technology Integration - make this a core part of how technology is built and operated: secure products, not just security products. Recognize that basic and relentless technology controls (e.g. the CIS Top 20) and hygiene/operational discipline are essential. They won’t stop all attacks but will stop many (depending on your threat model). Note: “basic” doesn’t mean easy - hence “relentless” is the key word. Embed automation and iterative improvement into the heart of technology delivery. Continuously monitor control effectiveness, presence and operation. Strive for ambient controls, in preference to expecting employees/customers to be a significant part of your front-line defense.
3. Resilience & Recovery - plan for failure and constantly exercise/drill. No matter how good an organization is, there will always be things that go wrong, either because the adversary is awesome or (more likely) because of some misstep, slowness, dependency or complexity. So: detect early, respond decisively, formalize accountability and test constantly (and apply lessons from tests quickly). Limit the blast radius of potential events through business and technology process adjustment (for example, data minimization). Find and fix “broken windows” [hygiene issues that, while not necessarily a top risk, nevertheless signal the acceptance of sloppiness]. Integrate cyber/info-security incident response with enterprise operational resilience and business continuity approaches.
Bottom line: don’t confuse saying cyber/info-security is a business risk with then actually managing it as a first-class enterprise risk. To do that you actually have to, well, do things to make that happen.